Server data from the Official MCP Registry
MCP server for MyFitnessPal: log, search, and analyze your food diary.
MCP server for MyFitnessPal: log, search, and analyze your food diary.
The MyFitnessPal MCP server is a well-structured reverse-engineering client for an unofficial API. Authentication is properly handled via session cookies stored securely with restricted file permissions, and the codebase demonstrates good input validation and error handling. However, the server's core functionality depends on reverse-engineering MyFitnessPal's endpoints, which creates inherent fragility and potential for service disruption. The auto-refresh feature uses headless browser automation, which is a reasonable approach but introduces subprocess/process risks. Permissions align with the stated purpose (network access, file I/O, environment variables), and no evidence of malicious patterns, credential exfiltration, or arbitrary code execution was found. Supply chain analysis found 2 known vulnerabilities in dependencies (0 critical, 2 high severity). Package verification found 1 issue.
7 files analyzed · 9 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: MFP_COOKIE
Environment variable: MFP_USERNAME
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-mason-levyy-mfp-mcp": {
"env": {
"MFP_COOKIE": "your-mfp-cookie-here",
"MFP_USERNAME": "your-mfp-username-here"
},
"args": [
"mfp-mcp"
],
"command": "uvx"
}
}
}From the project's GitHub README.
Connect MyFitnessPal to Claude or any MCP client. Log meals by talking, search the food database with macros, track trends, and export your nutrition history, all against your real MyFitnessPal diary.
Published on PyPI as mfp-mcp.
Unofficial. MyFitnessPal has no public API; this reverse-engineers the web app's own endpoints. It can break whenever MFP changes their site. Use at your own risk, with your own account.

MyFitnessPal moved behind Cloudflare + NextAuth, which broke the username/password login that most existing integrations rely on. This server:
Connect your account (one-time; prompts you to paste a cookie — see Authentication):
uvx mfp-mcp auth
Add the server to your client.
Claude Code
claude mcp add myfitnesspal -- uvx mfp-mcp
Claude Desktop (claude_desktop_config.json)
{
"mcpServers": {
"myfitnesspal": {
"command": "uvx",
"args": ["mfp-mcp"]
}
}
}
Talk to it: "log a banana as a snack", "what did I eat yesterday?", "chart my weight this month".
Requires uv. Any MCP client that speaks stdio or streamable HTTP works, not just Claude.
MyFitnessPal killed headless password login, so this uses your browser's session cookie:
https://www.myfitnesspal.com.__Secure-next-auth.session-token.mfp-mcp auth prompt (input is hidden).Pasting the entire Cookie: header from any request in the Network tab also
works. Cookies are stored with owner-only permissions in your platform config
dir, or supply them via the MFP_COOKIE environment variable instead.
Sessions last around 30 days. When one expires, either re-run auth — or
enable auto-refresh so you never have to.
With the autorefresh extra, auth also seeds a persistent headless browser
profile. When MyFitnessPal rejects the session mid-call, the server tells your
client it is retrying, boots the profile headlessly, lets MyFitnessPal rotate
the session token, saves the fresh cookie, and retries the call.
uvx --from 'mfp-mcp[autorefresh]' playwright install chromium
uvx --from 'mfp-mcp[autorefresh]' mfp-mcp auth
Then use the same --from 'mfp-mcp[autorefresh]' form in your client config
(e.g. uvx --from 'mfp-mcp[autorefresh]' mfp-mcp).
| Tool | What it does |
|---|---|
fitness_get_day | Nutrition totals, diary entries, and feel note for a day |
fitness_search_food | Candidate matches with brand, calories, macros, serving, and ids |
fitness_log_food | Log a food to the real diary (top match, or an exact search candidate) |
fitness_delete_food | Remove a diary entry by name match |
fitness_modify_food | Replace an entry (or change its quantity) |
fitness_log_weight | Log a weight measurement (updates the same day on re-log) |
fitness_get_exercise | Read the exercise diary (cardio + strength) |
fitness_log_feel | Save a subjective "how I feel" note (stored locally, never sent to MFP) |
fitness_get_trends | One metric over a date range: weight, calories_in, protein, carbs, fat |
fitness_bulk_export | Whole date range in one call, for analysis |
The high-accuracy logging flow: fitness_search_food("greek yogurt") returns
candidates with macros and a food_id/weight_id; pass those to
fitness_log_food to log exactly that item instead of trusting the top match.
Day summaries and trends read from a local SQLite cache that gap-fills from MyFitnessPal (first call on a fresh install fetches up to 30 days, one request per day — subsequent calls are fast).
Water intake is read-only (it appears in day summaries): MyFitnessPal's water
write isn't exposed on any endpoint we've found — /food/water accepts POSTs
but ignores them. If you capture the real call in your browser, a PR is very
welcome.
The default transport is stdio. For network clients:
mfp-mcp --http --host 127.0.0.1 --port 8484
This serves streamable HTTP at /mcp. There is no built-in authentication —
never expose it to the internet. Bind to localhost and front it with
something that authenticates for you: a VPN/tailnet (e.g. tailscale serve),
an authenticating reverse proxy, or an OAuth-aware MCP gateway.
| Variable | Purpose | Default |
|---|---|---|
MFP_COOKIE | Session cookie (full header or bare token); overrides the saved file | – |
MFP_USERNAME | Your MFP username (not email); only needed if profile lookup fails | auto-detected |
MFP_IMPERSONATE | curl_cffi browser fingerprint (try chrome124 on 403s) | chrome |
MFP_SYNC_DAYS | Gap-fill lookback window in days | 30 |
MFP_MCP_DATA_DIR | Where the SQLite cache + browser profile live | platform data dir |
MFP_IMPERSONATE=chrome124 (or another
curl_cffi target).
Datacenter IPs get challenged far more than residential ones.mfp-mcp auth, or set up
auto-refresh.MFP_USERNAME to your username (not your email).curl_cffi
session that impersonates Chrome's TLS fingerprint so Cloudflare lets it
through with just the NextAuth session cookie.food_id/weight_id that /food/add accepts, and deletes go
through /food/remove with the page CSRF token.git clone https://github.com/Mason-Levyy/myfitnesspal-mcp
cd myfitnesspal-mcp
uv sync --extra autorefresh
uv run pytest
Tests run against synthetic MyFitnessPal HTML/JSON fixtures — no account needed.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.